>The attack is on the client by a malicious server - a client can't DoS
>a server with this bug. We generally don't put much effort into making
>the client resilient to DoS from a hostile server.

I'm confused. Why would this be an attack on the client? The client is
the one putting the glob (the server isn't pushing this as far as I can
see). I do see a CPU spike (and blocking on the ability to execute any
subsequent commands) on the client, but I also see (excessive?) CPU
usage on the host.

Interestingly, subsequent sftp connections to the host doing the same
thing do not increase CPU usage significantly.

Is this something you would be interested in disputing with MITRE over
the CVE assignment?

I see you also said:

>actually, the CVE description is nonsensical. sftp-server doesn't
>process globs in requests at all. All glob expansion is done by
>the client.
>
>So a user entering a malicious glob is DoSing their own end of the
>connection.

Doing further testing, I'm inclined to agree with you. At best this is
a client DoS, but they are doing it to themselves (but you implied
malicious server above, so I'm not sure whether this should be
considered a flaw from a malicious server and the description needs to
be revised, or if this should be rejected outright since self-inflicted
issues shouldn't really be considered security flaws).

Thanks for the response, Damien. If you could clarify the malicious
server bit you mentioned above, then I can engage with MITRE one way or
the other.